Quote:
|
Originally Posted by Marshac
if your mail server only communicates with clients on the local subnet, then why would spoofing a DNS entry matter? Maybe Laurence can fill me in 
|
I knew I had phrased it confusingly. My original thought was: my server has an IMAP server. My mail client on my workstation is running. Local LAN only, so no encryption. However, if the DNS suddenly pointed my mail client to a new server, it sends the next "check mail" transaction complete with unencrypted password to the spoofed server. If they were smart enough to capture it and try it to ssh back into my server it would've worked (on my home server; on my web server none of the passwords are the same for accounts or mail access.) After poking around, I don't think that's what happened. In fact I don't think I was hacked...
Quote:
So far my server ('kitchen'... what are you cooking?) hasn't been hax0red yet.... it's running Win2k3, Exchange 2k3, and BlueDragon (ColdFusion/JSP...none of that PHP for me....bleh)
|
I don't fully understand how they got my hosted web server. It's linux, and somehow (xmlrpc remote code execution vulnerability I presume) they changed the password for the daemon user and logged in interactively as daemon then su'ed to root. (I don't know how they did that; I must've had a privilege escalation vulnerability I haven't yet identified.) Luckily something got goofed up and my server dropped off the network. Actually I wonder if my host blocked my system off for spamming, but if so they didn't tell me they did. But the home server...
Quote:
Not yet, but I'm going to real soon. The web server hack woke me up. If it hadn't gone down I wouldn't have noticed the problem for a long time. My IP was already being bulkmail filtered by Yahoo when I got it; good luck on my ever getting off their list now.
Quote:
Edit: is your network at your house (i.e., 100% yours), or is it shared with other people? Perhaps someone poisoned your ARP table and performed a man-in-the-middle attack? Just a thought.
|
It's all mine. But it was my goof that compromised my home server. I have static IPs but added a private NAT'ted logical subnet. I accidentally enabled NAT both ways which effectively bypassed my main firewall rules *and* made all inbound packets appear to originate on my LAN relaxing my secondary firewall rules and leading the server to believe all inbound traffic was local. I wasn't actually hacked; it's just that my server effectively became an open mail relay through my own misconfiguration.
Even though I now think my logins were not compromised I'm going to rebuild and change passwords, anyway. And I'll have authenticated Submission protocol for mail submission and absolutely no SMTP relaying--even for the local LAN or even the local host. And IMAP will be encrypted, and passwords will not match between users & services.
The DNS thing still puzzles me. What alerted me to the problem was that my homepage quit working, and when I pinged the hostname it was pointing to a foreign server. It wasn't an ARP spoof, it was a DNS spoof, and they didn't seem to get into any local machine, so I don't know how they managed that. It may be a side result of all inbound traffic appearing local. At the moment the DNS spoof appears to be coincidental, but it's a heck of a coincidence. Oh, this particular DNS is a DynDNS entry, so they might have coughed up a wrong IP, too.
(edited for spelling...really need to get an in-browser spell checker for all the fat fingering I do)
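An added illustration of the relay failure described in the post above (not the poster's actual configuration): a small model of the MTA's relay decision, showing how a policy that trusts clients by source address collapses once bidirectional NAT rewrites every inbound packet into the LAN range, and how the authenticated-submission policy the poster plans to adopt is unaffected. The subnet, domains and addresses are constructed sample values.

```python
"""Model of the relay decision that turned the home server into an open relay.

The old policy trusted any client whose source address fell inside the LAN.
With NAT rewriting inbound packets so they appear to come from the LAN, that
trust covered the whole Internet. The hardened policy relays only for
authenticated sessions and never looks at the source address at all.
"""
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed private NAT'ted subnet
LOCAL_DOMAINS = {"example.test"}               # domains this server delivers for


@dataclass
class SmtpSession:
    observed_src: str     # source address as the MTA sees it (after NAT)
    authenticated: bool   # SASL auth succeeded on the Submission port
    rcpt_domain: str      # domain part of RCPT TO


def relay_weak(s: SmtpSession) -> bool:
    """Old policy: deliver locally, or relay if the client looks local."""
    if s.rcpt_domain in LOCAL_DOMAINS:
        return True
    return ipaddress.ip_address(s.observed_src) in LAN


def relay_strict(s: SmtpSession) -> bool:
    """New policy: deliver locally, or relay only after authentication."""
    if s.rcpt_domain in LOCAL_DOMAINS:
        return True
    return s.authenticated


def nat_rewrite(real_src: str) -> str:
    """Stand-in for the NAT goof: every inbound packet, whatever its real
    origin, is presented to the firewall and MTA with a LAN source address."""
    return str(LAN.network_address + 1)


def spammer_relay_attempt(policy) -> bool:
    """A remote, unauthenticated client asks to relay to a foreign domain."""
    real_src = "203.0.113.7"   # constructed external address (TEST-NET-3)
    session = SmtpSession(observed_src=nat_rewrite(real_src),
                          authenticated=False, rcpt_domain="victim.example")
    return policy(session)


if __name__ == "__main__":
    print("weak policy relays for outsider:  ", spammer_relay_attempt(relay_weak))
    print("strict policy relays for outsider:", spammer_relay_attempt(relay_strict))
```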